Closed
Bug 296626
Opened 20 years ago
Closed 20 years ago
Deer Park crashes, when loads xml with xsl stylesheet(transforming to svg) crash [@ nsStyleContext::ApplyStyleFixups a00d3007 ]
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
FIXED
People
(Reporter: sendmail.to, Assigned: bzbarsky)
References
Details
(Keywords: crash)
Crash Data
Attachments
(3 files, 2 obsolete files)
|
941 bytes,
text/xml
|
Details | |
|
209 bytes,
text/xml
|
Details | |
|
2.26 KB,
patch
|
dbaron
:
review+
roc
:
superreview+
brendan
:
approval1.8b3+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050603 Firefox/1.0+
See attached files, wenn loading test.xml file, Deer Park will crash.
(I will attach also the detail.txt from the Feddback Agent if no one can
reproduce this Bug.)
Reproducible: Always
Steps to Reproduce:
1. Open Deer Park
2. load the _test_.xml file via Drag and Drop or URI
3. Deer Park crashes
|
Reporter | |
Comment 1•20 years ago
|
||
|
|
Reporter | |
Comment 2•20 years ago
|
||
|
||
Comment 3•20 years ago
|
||
Could you post the talkback id please from
/components/talkback.exe
Summary: Deer Parkes crashes, when loads xml with xsl stylesheet(transforming to svg) → Deer Park crashes, when loads xml with xsl stylesheet(transforming to svg)
|
|
Reporter | |
Comment 4•20 years ago
|
||
I didn't send a "talkback-package", because of no Internet Conection at the
testing PC.
But i have saved the Output in a file.
|
|
||
Comment 5•20 years ago
|
||
I managed to get the files to run locally, will try to fix the test cases so
they run online.
Firefox crashes with TB - TB6386078X
-> New
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Comment 6•20 years ago
|
||
Talkback Data
Stack Signature nsStyleContext::ApplyStyleFixups a00d3007
Product ID FirefoxTrunk
Build ID 2005060306
Trigger Time 2005-06-04 09:28:36.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (001ec32f)
URL visited
User Comments
Since Last Crash 8580 sec
Total Uptime 8580 sec
Trigger Reason Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/style/nsStyleContext.cpp,
line 360
Stack Trace
nsStyleContext::ApplyStyleFixups
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/style/nsStyleContext.cpp,
line 360]
nsCSSFrameConstructor::ConstructMathMLFrame
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 6816]
nsCSSFrameConstructor::ConstructHTMLFrame
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 5263]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7630]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7538]
nsCSSFrameConstructor::WrapFramesInFirstLineFrame
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11868]
nsCSSFrameConstructor::ConstructPageBreakFrame
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7447]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7664]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7538]
nsCSSFrameConstructor::WipeContainingBlock
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13168]
nsCSSFrameConstructor::ConstructInline
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 12982]
nsCSSFrameConstructor::InitAndRestoreFrame
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 6732]
nsCSSFrameConstructor::ReconstructDocElementHierarchy
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7743]
nsCSSFrameConstructor::ConstructFrameInternal
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7538]
nsCSSFrameConstructor::WrapFramesInFirstLineFrame
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11868]
nsCSSFrameConstructor::ConstructRootFrame
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 4485]
nsCSSFrameConstructor::ContentInserted
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9059]
PresShell::InitialReflow
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 2898]
nsXBLWindowDragHandler::nsXBLWindowDragHandler
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xbl/src/nsXBLWindowDragHandler.cpp,
line 57]
nsXMLContentSink::HandleStartElement
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xml/document/src/nsXMLContentSink.cpp,
line 940]
nsXMLContentSink::CloseElement
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xml/document/src/nsXMLContentSink.cpp,
line 478]
txMozillaTextOutput::`scalar deleting destructor'
txMozillaXMLOutput::endElement
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/extensions/transformiix/source/xslt/txMozillaXMLOutput.cpp,
line 270]
txExecutionState::getVariable
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/extensions/transformiix/source/xslt/txExecutionState.cpp,
line 239]
txMozillaXSLTProcessor::ImportStylesheet
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/extensions/transformiix/source/xslt/txMozillaXSLTProcessor.cpp,
line 353]
Summary: Deer Park crashes, when loads xml with xsl stylesheet(transforming to svg) → Deer Park crashes, when loads xml with xsl stylesheet(transforming to svg) crash [@ nsStyleContext::ApplyStyleFixups a00d3007 ]
|
|
||
Comment 7•20 years ago
|
||
Stack suggests this is a dupe of bug 284889
|
|
||
Comment 8•20 years ago
|
||
|
|
||
Comment 9•20 years ago
|
||
|
|
||
Updated•20 years ago
|
Attachment #185344 -
Attachment is obsolete: true
|
|
||
Updated•20 years ago
|
Attachment #185345 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 10•20 years ago
|
||
You really want to reassign core bugs like this out of the Firefox product if
you want someone to look at them (eg I'm pretty close to automatically sending
all Firefox-product bugmail to /dev/null).
That said, before the crash I get the following:
###!!! ASSERTION: invalid container: 'Error', file
../../../../../mozilla/layout/svg/base/src/nsSVGPathGeometryFrame.cpp, line 851
###!!! ASSERTION: Null outerSVGFrame: 'Error', file
../../../../../mozilla/layout/svg/base/src/nsSVGPathGeometryFrame.cpp, line 787
(so we seem to have some invalid SVG here....) This is repeated 5 or 6 times.
Then I get:
###!!! ASSERTION: No style context found!: 'mStyleContext', file
../../../mozilla/layout/generic/nsIFrame.h, line 606
And then:
Program received signal SIGSEGV, Segmentation fault.
(gdb) frame
#0 0xb608e02b in nsCachedStyleData::GetStyleData (this=0x1c, aSID=@0xbfffcf90)
at nsRuleNode.h:210
Note the bogus |this| pointer. More precisely, we have an nsSVGGlyphFrame with
a null mStyleContext. This happens because nsSVGGlyphFrame::Init bails out with
NS_ERROR_FAILURE before setting mStyleContext if it has no outer SVG frame. But
nsCSSFrameConstructor::ConstructTextFrame (which is what constructs glyph
frames) never checks the rv of InitAndRestoreFrame, so the not-initialized frame
happily ends up in the tree and later crashes.
First we should always make sure to set mStyleContext before bailing out of Init
(anything done by nsFrame::Init MUST be done before local init starts,
basically; I realize that the current design of the SVG frame stuff makes this
really hard, which is why nsFrame::Init isn't even being called). Second, the
caller should check the rv of InitAndRestoreFrame and do something sane.
Oh, and this isn't related to bug 284889.
Assignee: nobody → general
Component: General → SVG
Flags: blocking1.8b3?
Keywords: crash
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → ian
Hardware: PC → All
Version: unspecified → Trunk
|
||
Comment 11•20 years ago
|
||
Boris/dbaron/tor/jwatt, what can we do for 1.8 here?
Assignee: general → bzbarsky
Flags: blocking1.8b3? → blocking1.8b4?
|
|
||
Comment 12•20 years ago
|
||
Attachment #187720 -
Flags: superreview?(roc)
Attachment #187720 -
Flags: review?(dbaron)
Attachment #187720 -
Flags: review?(dbaron) → review+
|
|
||
Updated•20 years ago
|
Flags: blocking1.8b4? → blocking1.8b4+
Attachment #187720 -
Flags: superreview?(roc) → superreview+
Attachment #187720 -
Flags: approval1.8b3?
|
|
||
Comment 13•20 years ago
|
||
Comment on attachment 187720 [details] [diff] [review]
get the frame in a usable state, delete if Init failed
Sounds like this is a good thing to get into 1.8b3, but bz said "we probably
have other similar bugs lurking around". Should another bug be on file?
/be
Attachment #187720 -
Flags: approval1.8b3? → approval1.8b3+
|
|
||
Comment 14•20 years ago
|
||
Checked in. Bug 299351 filed to remind us that we should doublecheck the rest
of the svg frames.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
|
|
||
Comment 15•20 years ago
|
||
*** Bug 296806 has been marked as a duplicate of this bug. ***
|
||
Updated•14 years ago
|
Crash Signature: [@ nsStyleContext::ApplyStyleFixups a00d3007 ]
You need to log in
before you can comment on or make changes to this bug.
Description
•